CFR 21 compliance title 21 Section 11 of FDA regulations addresses the topic of electronic signatures and documents. Electronic signatures must meet the equivalent requirements that handwritten signatures meet and must be verifiable and authentic. The means of achieving this will be addressed in the article.
Electronic documents are related yet separate topics as documents with wet signatures can be kept in electronic format provided digital signatures are available. The combination of electronic records and signatures are a business decision that will be discussed, as well.
Electronic Signatures
To be authentic, these signatures must exist for each individual user, and can only be used by each signature’s genuine owner. The electronic system must be able to be authenticated and thus will need to have a login for each user so that the relative signatures are not available to any individual with access to the system.
The signatures and their uses, logins, time stamps, and other authentication data must be logged and available for review. There are several companies that provide services with the compliant tools for electronic signatures.
RightSignature is a company that provides legally binding electronic signature and captures all the metadata associated with the user, device, location, and other signature data. eFileCabinet integrates with RightSignature.
Electronic Documents Requirements as Defined in CFR 21 Section 11
To achieve CFR 21 compliance, validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records is needed.
This requirement means the DMS must require a login that is individual to each user, must have the ability to track changes or versioning in documents, and must lock out users from making changes to documents.
eFileCabinet requires individual user logins and allows for user permissions at both the user level and the document level. Individual users or user groups can be blocked from editing or deleting programs.
In addition, at specific levels of the filing cabinet, documents and folders can be protected from editing or deleting, even from users who have permission to perform such actions.
The ability to generate accurate and complete records in readable format
The documents should not be regenerated within a DMS to another file type specific to the DMS. Additionally, the document should be able to be review-able and coherent.
Some DMS programs pull in a document type (such as a PDF) and turn it into a proprietary file type that requires the DMS to read the document. This type of a Document Management System is not advisable for this requirement.
eFileCabinet does not alter the document type. Word, Excel, Text, PDF, Msg, and other file types maintain their integrity as the original document type.
Protection of Records to Maintain Accurate and Ready Retrieval
This requirement is met in two separate functions. 1) The protection of the records and 2) the ability to ensure retrieval. First, records must be protected from tampering or unauthorized use.
This is accomplished by encrypting the documents so that unauthorized back door access is not permitted. Second, the record must be protected from disasters or other accidents and system failures so that the documents remain available for easy retrieval.
This is accomplished through a backup of the documents that is kept in a location separate from the original location.
eFileCabinet meets these requirements by encrypting all data stored in the system, requiring each individual user to have unique logins and passwords, and providing a backup service that saves a minimum of three backups in three separate parts of the United States.
In addition, the advanced search capabilities of eFileCabinet provide simple, fast, and accurate retrieval of documents.
Role-based Permissions to Authorized Individuals
which is done through individual logins and role-based authority as explained above.
eFileCabinet makes it easy and simple to designate authority both in the functions of individual users, but also to the access within the cabinet of those users. Not all users should typically have access to all documents and access to the various levels of the electronic documents should be controlled on a need-to-know basis.
CFR 21 Compliance for Computer-generated, Time-stamped Audit Trails
These audit records or trails should be independent records that don’t affect the actual document and its data. The audit trail should be unalterable and not able to be deleted.
eFileCabinet audit trails contain all of the above requirements and are only accessible to admin persons. General users will not know or be able to view the records of documents viewed, altered, or deleted.
This helps to maintain true transparency in actions. Further, the audit trails in eFileCabinet also record views of documents so the managers can maintain the true integrity and use of the records contained in the cabinet.
Use of Operational Checks to Enforce Permitted Sequencing of Steps and Events
This is an operational function that cannot be fully controlled in an electronic document management system.
Business organizations need to have the proper protocols for document functions and the proper training to ensure that all employees are aware of and capable of following the correct sequencing of steps.
However, DMS can help by providing workflow capability to automate document processes.
eFileCabinet’s workflow allows for any action that can be taken on a physical document to be taken on a physical document. The document can move from one approval level to another approval level.
It can be done on an individual basis or a group basis. Retention can be applied, naming conventions and file location can be managed. Many more functions are available through workflow.
Use of Document Management Authority Checks
Auditing capacity is yet another operational function that is made easier through a quality document management system.
User authority, audit logs, and workflow are all functions that make managing this requirement easier.
eFileCabinet provides all these tools and comprehensive training that makes even these difficult tasks easy and simple to use.
This document has covered CFR 21 Compliance Section 11 bullet points “a” – “h”. Bullet points “i” – “k” are operational requirements
When an organization has electronic documents, it is vital that your business maintain written policies and procedures, including the controls over user permissions and functions, which should be reviewed on a regular basis.
It is recommended that audit reviews, user permissions, and review of user controls occur on at least an annual basis.
Transitioning to electronic documents can seem overwhelming, particularly with the regulatory requirements of CFR 21 compliance, but it can be an easy task with the right document management system.
Electronic records are easier and less costly to secure on an individual user basis than paper documents. Further maintenance, retention, protection, and audit trails are much more accurate and precise than is possible in a paper environment.